How Do You Use TLS with Nginx?

Problem scenario
You know how to use TLS with Node.js because of this article.  Now you want to use TLS with Nginx, without Node.js, so you can test it out in a regular web browsing session.  How do you set up TLS (without paying a certificate authority and without Node.js)?

This assumes that port 443 is not blocked from the workstation to the Nginx server.

1.  Install Nginx on Linux.  As an example, we'll install Nginx on an Ubuntu server in AWS (with a security group that allows inbound connectivity on ports 80 and 443 from the workstation).  Run this command from the Ubuntu server:
sudo apt-get -y install nginx

2.  Test it.  
  a)  From a Windows workstation open I.E. and go to the external IP address of the server.
  b)  In I.E. go to Page -> Properties. Click on Certificates.  You should see a pop-up that says "This type of document does not have a security certificate."

3.  Create a certificate and key file.
   a) Go to the Nginx server on the backend.  
   b) From the command prompt, run these four commands:
cd /etc/nginx
sudo mkdir tlsfiles
cd tlsfiles
sudo openssl req -newkey rsa:2048 -nodes -keyout contint.key -x509 -days 9999 -out contint.crt

# Respond to the prompts however you see fit.  For the sixth (and penultimate) prompt you will be asked "Common Name (e.g. server FQDN or YOUR name) []:"  Enter the external IP address of the server.
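The same certificate generation as step 3, as an added shell example that is not part of the original post: it answers the openssl prompts with -subj, also puts the IP address in a subjectAltName (browsers newer than the IE used here check the SAN rather than the Common Name), then checks that the key and certificate belong together (Nginx refuses to start in step 5 if they do not) and that the certificate verifies when trusted as its own root, which is what step 6 does on the workstation.  The address 203.0.113.10 and the ./tlsfiles output directory are placeholders, and the script assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example, not from the original post.  Generates the self-signed
# certificate non-interactively and verifies the files before Nginx uses them.
set -eu

SERVER_IP="${SERVER_IP:-203.0.113.10}"   # placeholder; use the server's external IP
OUTDIR="${OUTDIR:-./tlsfiles}"           # the post uses /etc/nginx/tlsfiles (needs sudo)

# Same request as step 3, answered with -subj instead of prompts, plus a
# subjectAltName: browsers other than old IE match the SAN, not the CN.
make_selfsigned() {
    mkdir -p "$OUTDIR"
    openssl req -newkey rsa:2048 -nodes -keyout "$OUTDIR/contint.key" \
        -x509 -days 9999 -out "$OUTDIR/contint.crt" \
        -subj "/CN=$SERVER_IP" \
        -addext "subjectAltName=IP:$SERVER_IP" 2>/dev/null
    chmod 600 "$OUTDIR/contint.key"      # private key readable only by its owner
}

# Returns 0 when the private key really belongs to the certificate, by
# comparing the public key embedded in each file.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$OUTDIR/contint.crt" | openssl sha256)
    k=$(openssl pkey -pubout -in "$OUTDIR/contint.key" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Returns 0 when the certificate carries the server IP in its SAN.
cert_has_san_ip() {
    openssl x509 -noout -text -in "$OUTDIR/contint.crt" \
        | grep -qF "IP Address:$SERVER_IP"
}

# Mirrors step 6 on the workstation: trust the certificate as its own root
# and confirm the chain validates.
cert_verifies_as_own_root() {
    openssl verify -CAfile "$OUTDIR/contint.crt" "$OUTDIR/contint.crt" >/dev/null 2>&1
}

make_selfsigned
key_matches_cert && cert_has_san_ip && cert_verifies_as_own_root \
    && echo "contint.crt and contint.key are ready for nginx.conf"
```

After the files are in place and nginx.conf is edited (step 4), `sudo nginx -t` checks the configuration, including the certificate and key paths, before you restart in step 5.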

4.  Modify the /etc/nginx/nginx.conf file.  You may want to make a backup first.  In the http {} block enter these lines directly under the "http {" stanza, where x.x.x.x is the external IP address of the Nginx server:

  server {
    listen              80;
    listen              443 ssl;      # the "ssl" parameter enables TLS on this port only
    server_name         x.x.x.x;
    ssl_certificate     /etc/nginx/tlsfiles/contint.crt;
    ssl_certificate_key /etc/nginx/tlsfiles/contint.key;
    # TLSv1 and TLSv1.1 are deprecated; on a current Nginx/OpenSSL build prefer "TLSv1.2 TLSv1.3".
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    # Do not add "ssl on;" here: it would make port 80 expect TLS as well, and it is
    # deprecated (removed in newer releases) in favour of the "ssl" listen parameter.
  }

5.  Restart Nginx.  To do this, run these two commands:

sudo service nginx stop
sudo service nginx start

6.  Import the certificate file into a workstation.  As an example, we'll use IE on Windows 7.  
  a)  Open the file /etc/nginx/tlsfiles/contint.crt
  b)  Copy the text into a Notepad on the Windows workstation.  Save it anywhere as "contint.crt".
  c)  Close the Notepad.  
  d)  Hold the Windows button and tap "r."  Enter "mmc" with no quotes and press enter.  Click "Yes" to the UAC prompt.
  e)  Go to File -> Add/Remove Snap-in.  Under "Available snap-ins" highlight Certificates and click "Add >".  For the pop-up choose "My user account" and click "Finish."  Click "OK."
  f)  Expand "Certificates - Current User".  Right click "Trusted Root Certification Authorities" and choose "All Tasks" -> "Import".  Click "Next".  For "File name" browse to where you saved "contint.crt" in sub-step "b" directly above.  Click "Next" and then click the following "Next".  Click "Finish."  
  g)  For the "Security Warning" about installing the certificate, just click "Yes".  Click "Ok" to the next message.

7.  Open IE and go to this URL:
https://x.x.x.x where x.x.x.x is the IP address of the Nginx server (e.g., the external IP address of the AWS server).    

8.  Test it.  Open I.E. and go to the external IP address of the server. In I.E. go to Page -> Properties. Click on Certificates.  Click on Certification Path.  The certificate status should say "This certificate is OK."
